Guidance document available for health information custodians on reporting health privacy breaches

Starting on October 1, 2017, it will be mandatory for anyone who deals with health information to report certain privacy breaches to the Information and Privacy Commissioner (IPC).

Designed to better protect patient privacy and improve accountability and transparency in the health care system, the new amendments to the Personal Health Information Protection Act will help to ensure that health information is safe, confidential, and only accessible to patients and health information custodians (custodians) when they need it.

In order to assist custodians in understanding the new requirements, today we released a guidance document to explain the reporting criteria described in the regulation, and to assist organizations in determining when to notify my office of a privacy breach.

You can download the guidance document for Mandatory PHIPA breach reporting here.

Custodians will also be required to start tracking privacy breach statistics as of January 1, 2018, and will be required to provide the IPC with an annual report of the previous calendar year’s statistics, starting in March 2019. Further guidance on this statistical reporting requirement will be released later this fall.

This post is also available in: French

Media Contact

For a quick response, kindly e-mail or phone us with details of your request such as media outlet, topic, and deadline:
Telephone: 416-326-3965

Social Media

The IPC maintains channels on Twitter, YouTube and Linkedin in its efforts to communicate to Ontarians and others interested in privacy, access and related issues.